Vyatta Gateway contextualization and customization

The Vyatta gateway provides many useful network features, but in some scenarios its default behaviour causes trouble.
One real-world example concerns IPsec. On the Vyatta gateway, IPsec is provided by strongSwan. The strongSwan IPsec implementation installs a priority route in Vyatta's kernel whose destination is the IPsec remote-prefix. This route takes precedence over all existing routes as long as the destination falls within the remote-prefix. In simple terms, all traffic matching the remote-prefix is sent through the IPsec tunnel even if a more specific route is defined in the routing table. This behaviour differs from Cisco and Juniper routers. The unpleasant consequence appears when you (sometimes unavoidably) define the IPsec remote-prefix as 0.0.0.0/0: all of your traffic is sent into the IPsec tunnel regardless of the routes configured in the Vyatta routing table.


Some very smart guys have worked out a workaround that changes Vyatta's default behaviour by manually editing the strongSwan configuration file /etc/ipsec.conf. However, the customized ipsec.conf is overwritten by the system-generated ipsec.conf whenever the Vyatta is rebooted.
To close this gap we need to contextualize or customize the Vyatta gateway. After some research, I found that this can be achieved through the script vyatta-postconfig-bootup.script in the directory /config/scripts/.


vyatta@vyatta:/config/scripts$ more vyatta-postconfig-bootup.script
#!/bin/sh
# This script is called from /etc/rc.local on boot after the Vyatta
# configuration is fully applied. Any modifications done to work around
# unfixed bugs and implement enhancements which are not complete in the Vyatta
# system can be placed here.

As the script header says, it is called when Vyatta boots.
I wrote a very simple script that overwrites the system-generated ipsec.conf with the customized copy and restarts the IPsec process to apply it. vyatta-postconfig-bootup.script is then set to call the new script, so the customized ipsec.conf is kept after each reboot.

vyatta@vyatta:/config/scripts$ more runafterreboot
#!/bin/sh
# Restore the customized ipsec.conf over the generated one, then restart strongSwan
cp /etc/ipsec.conf.bak /etc/ipsec.conf
/etc/init.d/ipsec restart

vyatta@vyatta:/config/scripts$ more vyatta-postconfig-bootup.script
#!/bin/sh
# This script is called from /etc/rc.local on boot after the Vyatta
# configuration is fully applied. Any modifications done to work around
# unfixed bugs and implement enhancements which are not complete in the Vyatta
# system can be placed here.
/config/scripts/runafterreboot
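The two-line script above does its job, but it copies blindly and restarts IPsec unconditionally: if /etc/ipsec.conf.bak is ever missing, cp fails silently from rc.local's point of view and the gateway quietly comes up on the generated configuration with the 0.0.0.0/0 routing behaviour described earlier. The following is an added example, not the post's own script, of a more defensive runafterreboot. The paths /etc/ipsec.conf.bak and /etc/ipsec.conf and the command /etc/init.d/ipsec restart are taken from the post; the function names, the log prefix and the --run flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script): a more defensive version of
# /config/scripts/runafterreboot. The paths /etc/ipsec.conf.bak,
# /etc/ipsec.conf and the command "/etc/init.d/ipsec restart" come from the
# post; the function names and the "--run" flag are assumptions of this example.

postconfig_log() {
    # Stderr is enough when called from rc.local; use logger(1) instead if
    # you want these messages in syslog on the gateway.
    echo "postconfig: $*" >&2
}

# restore_if_changed BACKUP TARGET
# Copies BACKUP over TARGET only when the contents differ.
# Returns 0 if a copy was made, 1 if TARGET already matched BACKUP,
# 2 if BACKUP is missing (TARGET is left untouched in that case).
restore_if_changed() {
    backup="$1"
    target="$2"
    if [ ! -f "$backup" ]; then
        postconfig_log "backup $backup not found; leaving $target as generated"
        return 2
    fi
    if [ -f "$target" ] && cmp -s "$backup" "$target"; then
        return 1
    fi
    # -p keeps the backup's ownership, mode and timestamps on the restored file
    cp -p "$backup" "$target"
    return 0
}

# apply_ipsec_conf BACKUP TARGET RESTART_CMD
# Restores the customized file and runs RESTART_CMD only when the file
# really changed, so the hook is idempotent if it is run more than once.
# Propagates the "backup missing" status (2) so the caller can notice it.
apply_ipsec_conf() {
    if restore_if_changed "$1" "$2"; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)
            postconfig_log "restored $2 from $1; restarting IPsec"
            $3
            ;;
        1)
            postconfig_log "$2 already matches $1; nothing to do"
            ;;
        *)
            return "$rc"
            ;;
    esac
    return 0
}

# vyatta-postconfig-bootup.script calls this file with --run. Without the
# flag only the functions are defined, which keeps the file easy to source
# and test on a workstation.
if [ "${1:-}" = "--run" ]; then
    apply_ipsec_conf /etc/ipsec.conf.bak /etc/ipsec.conf "/etc/init.d/ipsec restart"
fi
```

To use it, change the last line of vyatta-postconfig-bootup.script to /config/scripts/runafterreboot --run. The missing-backup case returns status 2 instead of running the restart, so a failed copy is visible in the boot log rather than masked by a successful restart on the wrong configuration; comparing the files first means a second invocation does not tear down and rebuild the tunnels for nothing.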


We tested the above solution and it works well.
